Your question boils down to whether a VM snapshot will include a copy of the UEFI variables and/or UEFI NVRAM. I cannot answer this question for all available virtualization solutions, but for those I have been using (Hyper-V, Virt-ualBox, and QEMU/KVM based ones like Proxmox) I can confirm that at least in their latest version, the VM snapshot includes all of this, so it is sufficient to create a VM snapshot to protect against incorrect Secure Boot configuration changes.

That being said, I don't know of any likely scenario where a Secure Boot certificate update can screw your VM so badly that you need to revert to a previous snapshot. In case you use BitLocker in the VM, make sure to have your Recovery Key handy just in case.

(There used to be an older version of Vir-tualBox where not all UEFI variables - like dual-boot configurations - were part of the snapshot, which could cause confusion when restoring snapshots after an OS install - not only related to Secure Boot settings. But I believe this was before Vir-tualBox supported Secure Boot for VMs).

[Ouch, naming of competitor products is not allowed in this community?]